Why can you still access the IP after fail2ban has banned it?
Posted by Valvesoft@reddit | linuxadmin | 15 comments
I ran vaultwarden using Docker:

```yaml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    ports:
      - "127.0.0.1:8001:80"
    volumes:
      - ./:/data/
      - /etc/localtime:/etc/localtime:ro
    environment:
      - LOG_FILE=/data/log/vaultwarden.log
```
Then, bitwarden.XXX.com can be accessed via Nginx's reverse proxy, which is wrapped with Cloudflare CDN.
After configuring fail2ban, I tested it by intentionally entering the wrong password, and the IP was banned:
```
Status for the jail: vaultwarden
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 5
|  `- File list: /home/Wi-Fi/Bitwarden/log/vaultwarden.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 158.101.132.372
```
But it can still be accessed, why is that?
aenae@reddit
fail2ban defaults to iptables. The log probably logs your real IP. But that ip connects to Cloudflare, cloudflare connects to your nginx proxy and your nginx proxy connects to bitwarden.
So from an iptables point of view, the connection comes from some internal address. It never sees the external address. Even if it did, it would see the Cloudflare address at best.
You need a different method of blocking, based on http-headers, not the network request.
kaipee@reddit
In that case every connection would be blocked, as it would block the reverse proxy.
More likely that the block action isn't properly defined.
schill_ya_later@reddit
I believe you can configure the web server (e.g., Apache) to reveal the original client IP by using headers like X-Forwarded-For or CF-Connecting-IP, assuming Cloudflare is properly set up to pass that information. Fail2ban can then parse logs with proper headers and directives that should then include the true client IP, rather than Cloudflare’s. This allows Fail2ban to act on the actual sender’s IP, even behind a reverse proxy and CDN.
Not sure if it's a fix but hope it helps.
thoriumbr@reddit
If Cloudflare passes the X-Forwarded-For header, this is not a fix, but the opposite of a fix.
The attacker can forge the header, so as soon as Fail2Ban blocks it, he changes the header and keeps attacking. He can even block your proxy by using its IP in the forged header.
ITaggie@reddit
Cloudflare writes the header and adds it, then passes that onto the origin server
kaipee@reddit
You can, and that's how it should be. Otherwise you will only pass the local IP of the reverse proxy, which is my point
aenae@reddit
Not per se. The IP is taken from the log file, and it is not that hard to log the real IP from the Forwarded headers instead of the proxy IP (which would be useless).
In the example there is no real IP given, so we can't check if the real IP is logged, but it is trivial to log the correct IP. If you don't you will indeed probably block the proxy.
Either way, the block action isn't correctly defined; even if it was defined and uses iptables, that wouldn't work.
donjulioanejo@reddit
Cloudflare exposes real IP as a header.
nekokattt@reddit
that doesn't affect what is on the TCP header
aenae@reddit
I know, but Cloudflare connects to the proxy, which might also be where iptables runs. Either way, you don't want to block Cloudflare or your proxy.
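The header-trust question argued in this sub-thread (forged X-Forwarded-For vs. Cloudflare's CF-Connecting-IP, and never banning the proxy itself) as an added example that is not from any commenter: a small resolver that decides which address a log line, and therefore a fail2ban ban, should name. The proxy ranges are constructed TEST-NET placeholders, not Cloudflare's real prefixes.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed placeholder for the proxy ranges we trust (TEST-NET addresses,
# not Cloudflare's real prefixes). In production load the published lists
# from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_trusted_proxy(addr: str) -> bool:
    """True only when addr falls inside a range we trust to set client headers."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXY_RANGES)


def client_ip(peer: str, headers: Mapping[str, str]) -> Optional[str]:
    """Decide which address a log line (and so a fail2ban ban) should name.

    peer is the source address of the TCP connection as nginx sees it.
    Returns None when no safe client address can be determined, so the
    caller logs nothing bannable instead of a forged or proxy address.
    """
    # A direct connection: every header is attacker-controlled, so only the
    # TCP peer can be trusted. This is the forged X-Forwarded-For case.
    if not is_trusted_proxy(peer):
        return peer
    lowered = {name.lower(): value for name, value in headers.items()}
    # Through Cloudflare: use CF-Connecting-IP, which Cloudflare derives from
    # its own TCP connection with the client. X-Forwarded-For is ignored on
    # purpose because the client can pre-seed it before Cloudflare appends.
    claimed = lowered.get("cf-connecting-ip", "").strip()
    try:
        ipaddress.ip_address(claimed)
    except ValueError:
        return None  # proxy did not supply a usable client address
    # Never let a proxy's own (or a loopback) address be banned: that would
    # ban every user behind it instead of the one failing logins.
    if is_trusted_proxy(claimed) or ipaddress.ip_address(claimed).is_loopback:
        return None
    return claimed
```

nginx's realip module implements the same policy declaratively: `set_real_ip_from` for each trusted proxy range plus `real_ip_header CF-Connecting-IP`, so that `$remote_addr` in the access log is the value fail2ban reads.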
aioeu@reddit
Fail2ban doesn't block anything.
What Fail2ban does do is run a "ban" action command when an IP should be banned, and an "unban" action command when the IP should be unbanned. If those commands are wrong, Fail2ban wouldn't know or care.
Check that the `banaction` you have configured is actually applicable for your system.
twhiting9275@reddit
this, right here. Check the logs, make sure the action is properly used.
arvidsem@reddit
The default fail2ban rules block specific IP and port combinations. It only blocks access to the specific service that it caught the failure on unless you adjust the action to do something more
LordSkummel@reddit
Docker and deny rules in iptables can be a bit tricky to get right at times. Docker makes changes to iptables when you start a container. Those rules are often prioritized over the rules fail2ban adds when it blocks an IP.
babal80198@reddit
F2B uses iptables or nftables commands; check them and check jail.conf.